Using fingerprint sensors

Alexander Weibust

started a topic
12 months ago

Today you have to use a PIN code to pay if the amount is over 250 SEK, are you developing a solution to verify your payment by using a fingerprint scanner on your phone instead?
That would make your app even better, faster and more convenient!

And while you're at it, could you add the possibility to identify you when paying at Willys via the fingerprint scanner instead of using the Willys card or driver's license? So annoying to have to get a card out, the phone is already in the hand!

Thomas Fišer

said
10 months ago

If I were in your place (and I am) I'd stay away from fingerprint authentication where payments are concerned. Most fingerprint sensors on current mobiles don't have the resolution to detect copied fingerprints. Also, none I know of support living detection, i.e. can tell a living finger from a silicone one.

Tobias “Tobe” Kejonen

said
9 months ago

Fingerprint is just as secure as a 4-digit pin. And if you're using Apple's TouchID API it shouldn't be hard to implement Android fingerprint API.
My bank app, PayPal and the entire Android system are using it. Would be mighty convenient if SEQR also would use it.
In the end, it's the user's choice after all.

Alexander Weibust

said
9 months ago

By using Fingerprint Cards' fingerprint sensors it's even more secure than PIN codes. It has liveness detection so it can't be spoofed with silicone. And it's even quicker than Apple TouchID. Once you've tried you don't ever wanna go back. I own a Huawei Honor8 and it can also be used to blip my purchases. The progress Fingerprint Cards has made is amazing. They also offer iris recognition after acquiring DeltaID from California.

Thomas Fišer

said
9 months ago

@Tobias: I disagree totally with your statement that a fingerprint is as secure as a pin. You leave your fingerprints everywhere, getting them is quite trivial. In contrast, you normally do NOT leave your pin everywhere you go (unless you are stupider than a retarded rock). To distribute your pin equally widely as you do your fingerprints, you'd literally have to carve it into the rubber of your shoe soles.

@Alexander: I know that the newer, high-resolution sensors with liveness detection are becoming more and more the standard. However, there are still a lot of older devices with less capable fingerprint sensors around which are suitable solely for user convenience. Furthermore, and this is VERY important, the Android API cannot query the security features of the sensor used. In other words, there is no way to limit the use of fingerprint authentication to devices providing a suitably advanced sensor. Therefore, until and unless somebody, most likely Google, either exposes the capabilities of the sensor to the applications via the API or imposes a minimum requirement on fingerprint sensors and enforces it, I'd stick with my original statement that fingerprint authentication, at least at the moment, isn't a good choice for critical applications such as payment.

Tobias “Tobe” Kejonen

said
9 months ago

You leave your fingerprints all over the place like all humans on this planet do.
Chances of people getting my fingerprint from anywhere but my home is more unlikely than just brute-forcing my pin.
And if somebody manages to enter my home I got more to worry about than someone making a fake finger to get into my phone.
Also in the end it's the user's choice. It's the user's choice to put 1234 as pin and it's the user's choice to enable fingerprint.
I commend you for being sceptical of "new" technology but you shouldn't force your views on people.
It's more likely you'll get mugged and forced to give your pin than someone going through with something that may or may not work.

Thomas Fišer

said
9 months ago

@Tobias I'm not forcing my opinion on anyone, I'm merely trying to share my expertise and educate those willing to listen. If you choose not to partake in my knowledge, that's your own decision entirely.

On that note, I'm afraid you underestimate the professionalism with which criminal gangs go about their trade. Have you ever wondered why mugging and rubber hose cryptanalysis the way you suggest are not more common? The simple reason is, as soon as the victim realizes he has been robbed, it takes a mere phone call to invalidate the card in question. And yes, there have been cases when people were actually held prisoner for several days with the express purpose of raiding their credit cards without them being able to lock them. But I digress.

The main concern of credit card thieves is to keep the owner in the dark about the theft of their card for as long as possible. The main reason why pin skimmers are so popular with criminals is because the victim is kept in the dark about the theft. On that note, the abundance of the extremely complicated and painstakingly constructed pin skimming also tells a story about the extreme effort criminal gangs are willing to put into their heists. As Terry Pratchett puts it: "There are people who would invest two days of hard work to steal the amount of money they could earn in one day of honest work".

As you conceded yourself, you leave your fingerprints everywhere, and so does everybody else. Where you are wrong is that you consider it impossible to obtain explicitly your fingerprints anywhere except in your home. It has been demonstrated numerous times that it is not only possible but quite simple to construct a situation where you can be made to leave a clear fingerprint that can be unequivocally assigned to you. The perhaps best-known such exploit is the old "glass at the restaurant" trick.

If you consider the amount of energy needed to construct, install and service a pin skimmer, bribing a waitress to steal used glasses and text pictures of the user to an accomplice outside is practically effortless. Similar schemes are possible wherever an object with a durable glossy surface, which is usually clean before use and used exclusively by one person, can be ascribed to you. The coffee cup on your desk. The plastic wrapper of your boxed lunch. The plastic cap of your coffee to go. Possibilities are endless.

That leaves me to commend you on your enthusiasm for new technologies. By heart, I also am an enthusiast like you. That I come across as a naysayer sometimes is just due to the fact that I see every day that people enthusiastically use technology they do not fully understand the consequences and pitfalls of. You say it's the user's own choice to activate the fingerprint authentication - but does the user really understand all the implications and limitations?